Windows Forensics and Incident Recovery
Notes
Windows Event Log
- Clearing the Security Event Log generates event ID 517
- Stealing info via a USB drive may generate event ID 134 ("Removable Storage Service"); if the logs have been cleared, check the HKEY_LOCAL_MACHINE\System\MountedDevices registry key. A right-click on these entries may show "RemovableMedia"
- Logon events http://support.microsoft.com/default.aspx?kbid=174073
- Logon types http://support.microsoft.com/default.aspx?scid=kb;en-us;140714
- More security events http://support.microsoft.com/kb/174074/
CMD Line History
- doskey /history or the RunMRU registry key
File Associations
- C:\>assoc will list out every association; C:\>assoc .exe ---> .exe=exefile
- ftype exefile ---> exefile="%1" %* ; shows which variables are used at runtime; this matches the value in HKEY_CLASSES_ROOT\exefile\shell\open\command
- if this value has been modified by malware, use --> C:\>ftype exefile="%1" %* to change it back
Hidden Files
- To view hidden files ---> C:\> dir /ah; the attrib command will list all file attributes
Scheduled commands
- Sometimes malicious code is scheduled; use the at command or schtasks.exe to view scheduled tasks
File Signatures
- located in the first 20 bytes of a file; MZ is found in executables; look for a mismatch between signature and extension
- a good list of file headers http://www.techpathways.com/uploads/headersig.txt
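A signature-versus-extension check of the kind the notes describe, written as an added Python example (not code from the original notes). The magic-number table and the sample files are constructed for the example; extend the table from a header-signature list such as the one linked above.

```python
import os
import tempfile

# Magic numbers from the first bytes of common formats. The table is constructed
# for this example and is not exhaustive; extend it from a header-signature list.
SIGNATURES = {
    b"MZ": {".exe", ".dll", ".sys", ".scr"},              # PE / DOS executables
    b"PK\x03\x04": {".zip", ".docx", ".xlsx", ".jar"},    # ZIP containers
    b"%PDF": {".pdf"},
    b"\x89PNG\r\n\x1a\n": {".png"},
    b"GIF8": {".gif"},
    b"\xff\xd8\xff": {".jpg", ".jpeg"},
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": {".doc", ".xls", ".ppt"},  # OLE2 compound file
}
HEADER_LEN = 20  # the notes say the signature lives in the first 20 bytes


def identify(header: bytes):
    """Return the (magic, extensions) entry whose magic prefixes the header, or None."""
    for magic, exts in SIGNATURES.items():
        if header.startswith(magic):
            return magic, exts
    return None


def check_file(path: str):
    """Classify one file: 'ok' (signature and extension agree), 'mismatch'
    (known signature, wrong extension) or 'unknown' (no signature in the table)."""
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as fh:
        header = fh.read(HEADER_LEN)
    hit = identify(header)
    if hit is None:
        return "unknown", None
    magic, exts = hit
    return ("ok" if ext in exts else "mismatch"), magic


def scan_dir(root: str):
    """Walk a directory tree and return {relative path: (verdict, magic)}."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            results[os.path.relpath(p, root)] = check_file(p)
    return results


def demo():
    """Write a few constructed sample files to a temp directory and scan them."""
    root = tempfile.mkdtemp()
    samples = {
        "report.pdf": b"%PDF-1.4\n%...",
        "notepad.exe": b"MZ\x90\x00" + b"\x00" * 60,
        "holiday.jpg": b"MZ\x90\x00" + b"\x00" * 60,  # executable disguised as a picture
        "readme.txt": b"just text",
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return scan_dir(root)


if __name__ == "__main__":
    for path, (verdict, magic) in sorted(demo().items()):
        print(f"{verdict:9s} {path}  magic={magic!r}")
```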
File Times (MAC Times: Modified, Accessed, Created)
- C:\>dir /ta ----> lists files by last accessed time
- The Unix touch cmd has been ported to windows http://www.dwam.net/docs/aintx/
- if auditing is enabled, changes to MAC times create events with ID 560 in the eventlog
File Binding
- Elitewrap will combine 2 files and compress http://homepage.ntlworld.com/chawmp/elitewrap/
- GUI version inPEct http://sysdlabs.hypermart.net/proj/inpect.txt
ADS (Alternate Data Stream)
- LADS will detect these http://www.heysoft.de/Frames/f_sw_la_de.htm
- Also Streams from sysinternals http://www.sysinternals.com/utilities/streams.html
- the best way to remove an ADS is to copy the file, delete the old, and rename
- an ADS can also be attached to a directory ---> echo "FooBar" > :ads.txt (attaches the stream to the current directory)
- this attaches an executable to an ordinary txt file -> C:\ads>type c:\windows\system32\notepad.exe > myfile.txt:np.exe
- call it like this -> C:\ads>start .\myfile.txt:np.exe ; the full path works as well
- VBScript can be hidden in an ADS and launched --> C:\ads>wscript //E:vbs myfile.txt:ads.txt
Registry Hiding
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\TimeZoneInformation is a common hiding place because it is not used by the OS. Strings or small programs can be hidden in this key http://msdn.microsoft.com/library/default.asp?url=/library/en-us/sysinfo/base/gettimezoneinformation.asp
Document Metadata
- Strings from sysinternals will also find metadata http://www.sysinternals.com/utilities/strings.html
- rhdtool from MS will remove metadata http://www.microsoft.com/downloads/details.aspx?FamilyID=144e54ed-d43e-42ca-bc7b-5446d34e5360&displaylang=en
OLE Storage
- Merge Streams will combine files http://www.ntkernel.com/w&p.php?id=23
Steganography
- Free Tools at http://home.earthlink.net/~emilbrandt/stego/software.html (S-Tools4)
- Hydan is also popular http://www.crazyboy.com/hydan/
Windows Server Port List
- http://support.microsoft.com/default.aspx?scid=kb;en-us;832017
NTFS Conversion
- to convert from FAT to NTFS --> C:\>convert /FS:NTFS c:\
NSA Templates
- you can download OS templates for Windows secedit (Local Security Policy) http://www.nsa.gov/snac/downloads_os.cfm?MenuID=scg10.3.1.1
GPO settings
- gpresult.exe can be run to find policy settings http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/gpresult-o.asp
Login Restrictions
- you can modify lockout settings using the net accounts command to allow unlimited password attempts
http://support.microsoft.com/default.aspx?scid=kb%3ben-us%3b194739
IIS Application mappings
- using the MMC, bring up application mappings and disable all unnecessary mappings
- IIS Lockdown and URLScan can provide additional security for IIS servers
Windows File Protection
- backup copies of protected files are kept in %SYSTEMROOT%\system32\dllcache and are restored from that cache if a protected file is modified or deleted
- the cmd line utility sfc can be used to replace modified files
Perl lib Win32::AdvNotify
- allows you to create your own WFP, for example for a static website, which will monitor for defacements, automatically replace the file and notify you. http://idnopheq.perlmonk.org/perl/packages/x86/Win32/
Patch Management
- Download MBSA here http://www.microsoft.com/technet/security/tools/mbsa2/default.mspx
- Shavlik Trial http://www.shavlik.com/pDownloadForm4.aspx?productid=1
Web Vulnerability Assessment
- Free tools available at http://www.ntobjectives.com/freeware/index.php
Centralized Logging
- ntsyslog, kiwi syslog daemon, dumpevt.exe (somarsoft)
- port reporter provides mapping logs http://support.microsoft.com/?id=837243
Volatile Information Recovery
- C:\>date /t && time /t , records the system date and time for comparison
- systeminfo.exe, native on XP or newer, will also show uptime; psinfo.exe from sysinternals does the same
- psloggedon.exe from sysinternals shows remote and local logged on users
- netusers.exe from somarsoft will also show previously logged on users with the /h switch
- C:\>net session will display any active remote connections
- C:\>net use * \\\c$ /u:Administrator , to log on remotely
- to list processes use pulist from the resource kit or pslist from sysinternals; the /t switch with pslist will display processes in a tree. Trojaned processes often fall outside the tree
- listdlls.exe from sysinternals will give you version information along with the command used to start the process
- handle.exe from sysinternals lists out everything the process is accessing
- c:\>tasklist /svc native to XP lists out processes along with window title information
- tlist from the windows debug kit is very functional http://www.microsoft.com/whdc/ddk/debugging/default.mspx
- svchost is a windows generic process that shows up multiple times. To find out what they are mapped to review the following reg key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost
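The "outside the tree" check from the pslist /t note above, as an added Python example (not code from the notes or from any of the tools named). The (pid, ppid, name) rows are constructed for the example; in practice they would be parsed from a process lister's output.

```python
from collections import defaultdict

# Constructed sample listing in the shape a process lister gives: (pid, ppid, name).
# The PIDs and names are made up for this example.
SAMPLE_PROCS = [
    (0, 0, "System Idle Process"),
    (4, 0, "System"),
    (368, 4, "smss.exe"),
    (588, 368, "csrss.exe"),
    (612, 368, "winlogon.exe"),
    (656, 612, "services.exe"),
    (668, 612, "lsass.exe"),
    (840, 656, "svchost.exe"),
    (1024, 656, "svchost.exe"),
    (1500, 612, "explorer.exe"),
    (1720, 1500, "notepad.exe"),
    (1933, 777, "svchosts.exe"),  # parent 777 is no longer in the listing
]


def build_tree(procs):
    """Index the listing by PID and collect each parent's children."""
    by_pid = {pid: (ppid, name) for pid, ppid, name in procs}
    children = defaultdict(list)
    for pid, ppid, _ in procs:
        if pid != ppid:  # the root parents itself; do not loop on it
            children[ppid].append(pid)
    return by_pid, children


def orphans(procs):
    """Processes whose parent PID is absent from the listing, i.e. the ones that
    fall outside the tree pslist /t draws (a self-parented root is not one)."""
    by_pid, _ = build_tree(procs)
    return [(pid, ppid, name) for pid, ppid, name in procs
            if pid != ppid and ppid not in by_pid]


def render_tree(procs):
    """Return the listing as indented lines, roots first, with orphans appended
    and marked so they cannot hide among legitimate children."""
    by_pid, children = build_tree(procs)
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{by_pid[pid][1]} ({pid})")
        for child in sorted(children[pid]):
            walk(child, depth + 1)

    for pid, ppid, _ in procs:
        if pid == ppid:
            walk(pid, 0)
    for pid, ppid, name in orphans(procs):
        lines.append(f"* {name} ({pid}) parent {ppid} not found")
    return lines


if __name__ == "__main__":
    print("\n".join(render_tree(SAMPLE_PROCS)))
```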
Remote Shell
- Net use \\machine\ipc$ /user:machine\administrator
- psexec \\machine cmd
Process Info Guidelines, at minimum collect the following:
- Process identifiers (PIDs) for each process running on the system (provided by most tools)
- Process name (provided by most tools)
- Length of time the process has been running (pslist.exe)
- Command line used to launch each process (listdlls.exe, cmdline.exe, tlist.exe)
- Full path to the executable file that each process was launched from (cmdline.exe, tlist.exe)
- User context that each process runs under (handle.exe, pulist.exe)
- Services running under each process (tlist.exe, tasklist.exe)
Additionally, the investigator will want to collect the following:
- Handles used by each process (handle.exe)
- Modules (DLLs) used by each process (listdlls.exe)
Process Memory
- using pmdump.exe from http://www.ntsecurity.nu/toolbox/pmdump/ you can extract what's in memory for a given PID
- dd from http://users.erols.com/gmgarner/forensics/ will slice out entire physical memory contents
- c:\>dd if=\\.\physicalmemory of=c:\win2k-physmem.dd bs=4096
Network Stat & Connections
- promiscdetect from http://www.ntsecurity.nu/toolbox/promiscdetect/ will find interfaces in promiscuous mode, locally
- netstat may list many 0.0.0.0 entries, which result from apps binding to the INADDR_ANY constant
- on XP or newer, netstat -ano, the -o option lists the PID
- nbtstat -s, lists current NetBIOS over TCP/IP sessions
- fport from http://www.foundstone.com/resources/freetools.htm will map ports with the full path of process
- net use lists out all shares currently mapped
- net share lists out all resource shared out on the system
- net session lists active SMB sessions made to the system over the network
- net file lists out any files in use by an active net session
Clipboard info
- pclip.exe from http://unxutils.sourceforge.net/ will dump clipboard info to STDOUT
Command History
- C:\> doskey /history will show command line history
Service & Drivers
- net start will list all services running but not device drivers
- sc.exe from resource kit and native on XP or newer
- drivers.exe from the resource kit and driverquery on XP or newer provide a lot of driver-related info
GPO settings
- can be used to determine how a system was compromised if settings were changed
- GPList from http://www.ntsecurity.nu/toolbox/gplist/ shows GPOs applied on a system
- GPResult.exe from the Resource Kit shows settings of the current user only
Protected Storage
- pstoreview.exe from http://www.ntsecurity.nu/toolbox/pstoreview/ can reveal user info in PS
MAC Information
- dir with /tw, /ta, or /tc will give specific MAC time information
- macmatch found here http://www.ntsecurity.nu/toolbox/macmatch/ will search a given time period
File permissions
- cacls, native to windows, will show permissions of any given file
File integrity
- md5deep from http://md5deep.sourceforge.net/ will calculate md5 hashes for you
Recycle Bin Analysis
- Rifiuti from http://www.foundstone.com/resources/forensics.htm will parse the INFO2 file
Registry Analysis
- reg.exe from the resource kit will pull any keys you're looking for out of the registry from the command line
- HKEY_LOCAL_MACHINE or CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run is most popular for malware
- keytime.pl from the book will show last write times for any given registry key
User Accounts
- most often compromised machines contain new account(s) created by the attacker that need to be analyzed
- last logon, time created, # of logins, and permissions will all be useful information
Event Logs
- Auditpol.exe from RK can be used to verify the level of logging set on the system
- dumpel.exe from http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/dumpel-o.asp will grab all event log data
- D:\>psloglist -s -x system , from http://www.sysinternals.com/Utilities/PsLogList.html can be used remotely
File Analysis
- strings from http://www.sysinternals.com/Utilities/Strings.html will retrieve ASCII/Unicode strings from a binary
- bintext from http://www.foundstone.com/resources/proddesc/bintext.htm is a gui w/ a good filter
- ms has a dll lookup online http://support.microsoft.com/dllhelp/
- dependencywalker from http://www.dependencywalker.com/ has a gui to show all file dependencies
- WordLeaker will rip out word metadata, along with revision history, available at http://www.elligre.tk/madelman/madelman/index.php/archivos/2005/02/23/wordleaker-extracting-info-from-word-files/
- fdte from http://www.digital-detective.co.uk/freetools/fdte.asp will grab hidden dates & times from a binary
- you can view pdf metadata by using Adobe Reader, FILE | Document Properties
CA Identity Theft Law (SB 1386) - affects all companies doing business in CA
- http://info.sen.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020926_chaptered.html
Know What To Look For
- The goal of any incident investigation should be to determine whether an incident occurred and, if so, how it was able to occur (root cause analysis, RCA)
Infection Vectors
- common vectors: email, p2p, IM, web browser, OS/application buffer overflows, default/weak passwords
Malware Footprints
- often leaves new files and directories
- added to startup C:\Documents and Settings\\Start Menu\Programs\Startup
- added to run in registry HKLM\Software\Microsoft\Windows\CurrentVersion\Run
- afind(foundstone) or macmatch(ntsecurity) can be used to find recently modified/created files/dirs
- can be a scheduled task (at command), which creates a job in C:\WINNT\Tasks
- example (2K) c:\>at 11:00pm /every:5,10 cmd /c "sol.exe"
- example (XP) c:\> schtasks /create /tn Solitaire2 /tr sol.exe /sc onlogon
- malware often changes how the system handles .exe files via HKEY_CLASSES_ROOT\exefile\shell\open\command
- the original value is "%1" %*; other extensions modified are .bat, .com, or .txt
- HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon can also be modified
- Shell should be set to "Explorer.exe"
- abnormal processes: in particular svchost.exe is often mimicked (scvhost or svchosts) or duplicated
- malware can often be set up as a windows service, using srvany.exe (resource kit)
http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/q137/8/90.asp&NoWebContent=1&NoWebContent=1
- example C:\>path\instsrv.exe path\srvany.exe ; then, by editing the following registry entry
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\service name, you can run any app or executable
Rootkits
- popular Windows RK site is Greg Hoglund's site http://www.rootkit.com
- a user-mode rootkit simply replaces files with trojaned versions or uses DLL injection to overwrite them in memory
- a kernel-mode rootkit overrides the TCB and hooks into all system calls
- a good way to remove is to boot into Safe Mode and remove entries in Run key and actual files themselves
Forensics Server Project (POC for automated system info collection)
- http://www.windows-ir.com/fsp.html, runs on windows/linux, requires perl (requires Win32::GUI, Digest::MD5, and Digest::SHA1; install them with ppm install), can run on any port (default 7070)
- setup of the First Responders Utility (FRU) requires Win32::GUI, Win32::Lanman, Win32::Perms, Win32::API::Prototype, Win32::TaskScheduler, Win32::DriveInfo, Win32::IPConfig. Requires a CD burner and you must also download the following third-party utilities: cmd.exe (clean), (sysInternals psloggedon, pslist, psloglist, psinfo, listdlls, handle), tlist from MS Debugging Tools, (DiamondCS cmdline, iplist, openports), (FoundStone rifiuti), (NTSecurity.nu promiscdetect) and reg and auditpol from MS.
- FRU also requires the following perl scripts getos.pl, pclip.pl, e_cmd.pl, service.pl, getsys.pl, tasks.pl, regdump.pl, mdmchk.pl, shares.pl, dt.pl, and ip.pl
- the clean cmd.exe should be placed in the root directory of the CD-rom
- The File Client Component (fcli.pl) should be installed as part of the FSP; it allows suspect files to be copied off
Scanners
- netcat can be used as a port scanner; D:\tools>nc -v -w 2 -z 10.1.1.15 ; will display open ports in the given range.
- Adding an echo and dropping the -z will grab banners; D:\tools>echo QUIT | nc -v -w 2 10.1.1.15 0-1024 ;
- portqry is microsoft's version; http://support.microsoft.com/?kbid=310099
Sniffers
- netmon is built in by microsoft; http://support.microsoft.com/kb/148942/EN-US/ ; can also be run remotely via SMS
- windump is another w32 tcpdump; http://www.winpcap.org/windump/docs/manual.htm